System and method for computer authentication with user modification of an image using a shared secret

ABSTRACT

Computers can be authenticated using a shared secret. During an authentication process, a server transmits an image to a client. A mobile device captures and analyzes the image. If the image contains the shared secret known only to the authentic server and the authentic mobile communication device, the mobile device can authenticate the server. The secret in the image can be readily analyzed. A single image may contain multiple shared secrets. Once the server has been authenticated, the user must modify the image in accordance with a shared modification secret to thereby authentic the user. The modified image is transmitted back to the authenticated server. If the image was properly modified, the user is authenticated.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present disclosure is directed to authentication systems in general and, more specifically, to a system and method for computer authentication using modification of an image using a shared secret.

2. Description of the Related Art

Early computer systems usually involved a large mainframe computer to which a number of terminals were directly connected. In early computer systems, these terminals were often in the form of teletype machines. Early computers also had card readers that were also directly connected to the machine. Network security generally involved simply providing a user identification (ID) and password.

The development of networked computer systems and a client server architecture meant that computer terminals were often connected together over great distances using a wide-area network (WAN), such as the Internet. Early computer terminals evolved from a “dumb” terminal to sophisticated computers with a significant amount of computing power in each of the various system servers and clients.

Computer security has become a much greater concern because of the accessibility of many computer networks via a WAN. Early computer security was generally directed towards authentication of a user wishing access to a computer system or network. Different techniques have evolved to provide authentication of the user. The most common form is a user name and password that should be known only to the individual user and to the server with which the user wishes to connect.

Although techniques have been developed to authenticate a user wishing access to a computer system or network, there is still a significant need for techniques to authenticate the computer system or network to the user. For example, a user accessing a bank account via the WAN wants to be sure they are communicating with their bank instead of an unscrupulous computer server that “spoofs” the actual bank website. If the user is fooled into believing that they have accessed their bank website, the user may unknowingly divulge confidential information such as user names, passwords, account numbers, credit card numbers, and the like. Unfortunately, the user often discovers the spoofing only after their account has been hacked and money has disappeared from their account.

Therefore, it can be appreciated that there is a significant need for techniques for computer and user authentication. The present disclosure provides this, and other advantages, as will be apparent from the following detailed description and accompanying figures.

BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWING(S)

FIG. 1 is an exemplary embodiment of a system architecture constructed in accordance with the present teachings.

FIG. 2 is a functional block diagram of a server constructed in accordance with the present teachings.

FIG. 3 is a functional block diagram of a mobile communication device constructed in accordance with the present teachings.

FIG. 4 is a flow chart illustrating an exemplary embodiment of the system to establish a secret shared between the client and server computers.

FIG. 5 is a flow chart illustrating an exemplary embodiment of the system to authenticate a server using the shared secret established in FIG. 2.

FIG. 6A is an example of an image in which there is a secret geometric relationship between elements of the image.

FIG. 6B is an example of the image of FIG. 6A modified by a user in accordance with a shared modification secret.

FIG. 7A illustrates an alternative embodiment of an image with a geometric relationship between elements.

FIG. 7B is an example of the image of FIG. 7A modified by a user in accordance with a shared modification secret.

FIG. 8A is an image illustrating a secret mathematical relationship between elements.

FIG. 8B is an example of the image of FIG. 8A modified by a user in accordance with a shared modification secret.

FIG. 9A is an alternative embodiment of an image illustrating a mathematical relationship between the elements.

FIG. 9B is an example of the image of FIG. 9A modified by a user in accordance with a shared modification secret.

FIG. 10A is an image illustrating a particular number or type of elements in the secret relationship in the image.

FIG. 10B is an example of the image of FIG. 10A modified by a user in accordance with a shared modification secret.

FIG. 11A is an alternative embodiment to FIG. 6 illustrating a particular number or type of elements in the image.

FIG. 11B is an example of the image of FIG. 11A modified by a user in accordance with a shared modification secret.

FIG. 12A is an image illustrating a type of element in the secret relationship in the image.

FIG. 12B is an example of the image of FIG. 12A modified by a user in accordance with a shared modification secret.

DETAILED DESCRIPTION OF THE INVENTION

As noted in the background section, early computer security generally related to the problem of user authentication. However, the development of sophisticated computer networks or distributed networks accessible via a wide-area network (WAN), such as the Internet, have given rise to a need for the authentication of the computer system as well as the individual. In one example provided above, an individual wants to authenticate their bank computer network prior to providing any confidential information to an unauthenticated computer network. Similarly, government or military computer networks have a great need for increased security in the form of computer network authentication in addition to authentication of the individual seeking access to the computer network. That is, it is important for a user to authenticate that they are truly accessing a government or military computer network prior to disclosing any confidential or proprietary information. Similarly, large businesses may have distributed computer networks and employees accessing the network must be authenticated to the computer system. In addition, the techniques described herein can be used to authenticate the computer to the individual. Specifically, a secret is initially shared between two elements in the system. At least a portion of the shared secret is known to the user. At a subsequent time, when authentication is required, one system element creates an image using the shared secret and transmits that image. The other system element with knowledge of the shared secret captures the image and analyses it to determine if it was constructed in accordance with the shared secret. Since the shared secret was known only to two trusted elements within the system, if the image contains the shared secret, those elements can be authenticated. Furthermore, the user knows at least a portion of the shared secret, referred to herein as a shared modification secret, that will permit the user to modify the image and transmit the modified image back to the element of the system that generated the image to thereby authenticate the individual as well as the system elements.

The present disclosure is embodied, in one example, in a system 100 illustrated in FIG. 1. A computer 102 having a display 104 is coupled to a network 106, such as the Internet, via a communication link 108. The computer 102 includes a network interface controller (NIC) (not shown) to provide the necessary connectivity to the communication link 108. The network 106 in FIG. 1 generically represents networks and typically would represent a wide-area network (WAN). The network 106 may be implemented as the Internet, or a private WAN. The system 100 is not limited by the specific form of the network 106. The system 100 provides a technique to verify the identity of a user of the computer 102 as well as the computer 102 and the server 110. Once example of user authentication is described in pending U.S. application Ser. No. 12/961,392 filed on Dec. 6, 2010, entitled “System and Method for Identity Verification on a Computer,” and assigned to the assignee of the present disclosure. That application is incorporated herein by reference in its entirety. The computer 102 may be a private computer (e.g., an individual's personal computer) or a public computer (e.g. in a library or hotel lobby). Furthermore, although the computer 102 is illustrated as a personal computer, those skilled in the art will appreciate that the principles of the system 100 are applicable to any computing device capable of rendering images, such as an automated teller machine (ATM), point-of-sales (POS) terminal, or the like. Thus, the system 100 is not limited to a particular form of computing device.

The system 100 includes a server 110 coupled to the network 106 via a communication link 112. In the following discussions, the server 110 generically represents the computer system or computer network which requires authentication to the user of the computer 102. Those skilled in the art will appreciate that the server 110 can be implemented in a variety of different fashions as a single server, multi-server, large frame computer, or the like. The server 110 may also represent a computer network, such as a government, military, or corporate computer network that the computer 102 wishes to access. The system 100 is not limited by the specific implementation of the server 110.

As will be described in greater detail below, the server 110 may initiate the authentication process. For example, the server 110 could host a website for on-line purchases. Alternatively, the server 110 may host the website for a bank or other financial institution. In yet another alternative embodiment, the server 110 may host a secure website, such as a business, law firm, or the like. In this embodiment, the server 110 effectively acts as a gateway and may provide access to a secure local area network (LAN). If the computer 102 wishes to access the server 110, the server initiates the user authentication process. In a simple embodiment, user authentication may simply be a user ID and password. Other authentication processes, such as described in the above-referenced patent application (U.S. application Ser. No. 12/961,392) may be used.

In one embodiment, the system 100 utilizes a mobile communication network, such as a public land mobile network (PLMN) 120 coupled to the network 106 via a communication link 122. Those skilled in the art will appreciate that the communication links 108, 112, and 122 may be implemented in many different forms, including hard wired, fiber optic, microwave, wireless, or the like. For example, the communication link 108 connecting the computer 102 to the network 106 may be implemented using a dial-up modem, cable modem, satellite connection, wireless network, or the like. The system 100 may be satisfactorily implemented by one or more of these technologies, alone or in combination, for the communication links 108, 112, and 122. The system 100 is not limited by the specific form of these communication links.

A base station 126 is coupled to the PLMN 120 via a backhaul communication link 128. Those skilled in the art will appreciate that a typical wireless communication network, such as the PLMN 120, includes a large number of base stations. However, for the sake of clarity, FIG. 1 illustrates only the base station 126.

A mobile communication device 130 is coupled to and in communication with the base station 126 via a wireless link 132. The mobile communication network, including the PLMN 120, base station 126, and mobile communication device 130 are illustrated in FIG. 1 as a generic wireless communication system. Those skilled in the art will appreciate that the elements of FIG. 1 that make up the wireless network may be implemented in accordance with any known wireless communication system. For example, the PLMN 120, base station 126 and mobile communication device 130 may be implemented in accordance with any known communication protocol, such as GSM, CDMA, WiFi, WiMAX, 3G, 4G, LTE, or the like. Operational details of these various communication protocols are known in the art and need not be described in greater detail herein.

As will be described in greater detail below, the server 110 generates an image 134 in accordance with the shared secret and transmits the image to the computer 102 via the network 106. The image 134 is shown on the display 104. In one embodiment, the shared secret is known to both the server 110 and the computer 102. In this embodiment, the computer 102 may analyze the image 134 on the display 104 to determine if it was created in accordance with the shared secret. If the image 134 on the display 104 is generated in accordance with the shared secret, the server 110 is authenticated. To authenticate the user of the computer 102, the user modifies the image 134 on the display 104 in accordance with the shared modification secret. For example, the user can draw a rectangle 136 around the image 134 as illustrated in FIG. 1. Other examples are provided below. The user-modified image is transmitted back to the server 110 where the server determines if the image modification has been made in accordance with the shared modification secret known to the user. If the image has been modified in accordance with the shared modification secret, the user is also now authenticated.

In an alternative embodiment, the mobile communication device 130 is used to authenticate the server 110 and the user of the computer 102. To authenticate the server 110, the user snaps a picture of the image on the display 104 using an imaging capability in the mobile communication device 130, such as a camera. The image captured by the mobile communication device 130 is evaluated to determine if it contains the shared secret. If the image contains the shared secret, the server 110 is authenticated because only the server 110 and the mobile communication device 130 have knowledge of the shared secret. The user of the computer 102 and the mobile communication device 130 may be authenticated when the user modifies the image on the display at the mobile communication device 130 and transmits the modified image back to the server 110 via the PLMN 120. In turn, the server 110 analyzes the modified image to determine if it has been modified in accordance with the shared modification secret. If the image transmitted from the mobile communication device 130 has been modified in accordance with the shared modification secret, the user of the computer 102 and mobile communication device 130 can be authenticated.

In addition, the server 110 has stored information relating the identity of the mobile communication device 130 to a particular user. When the image on the display 104 is captured by the mobile communication device 130 and modified in accordance with the shared modification secret, the captured and modified image transmitted from the mobile communication device 130 to the server 110 via the PLMN 120 also contains information identifying the mobile communication device. The server 110 may compare the information identifying the mobile communication device to determine that it is associated with the user of the computer 102. This provides further authentication of the user in that the user of the computer 102 is associated with the identity of the mobile communication device 130. This means that the user present at the computer 102 must also have possession of the mobile communication device 130 at the time the image 134 is shown on the display 104. Furthermore, only the authenticated user would know the portion of the shared modification secret that will permit modification of the image on the display 104 that was captured by the mobile communication device 130.

In yet another alternative embodiment, the image on the display 104 may be modified by the user operating the computer 102 such that the image on the display 104 is modified in accordance with the shared modification secret. In this embodiment, the mobile communication device 130 captures the modified image from the display 104 and transmits the captured modified image to the server 110 via the PLMN 120 in the manner described above. In either embodiment, the server 110 receives a modified image (modified by the computer 102 or the mobile communication device 130) and analyzes the modified image to determine if it has been modified in accordance with the shared modification secret.

FIG. 2 is a functional block diagram of the server 110. The server 110 includes a central processing unit (CPU) 140 and a memory 142. In general, the memory 142 contains data and instructions that are executed by the CPU 140. The CPU 140 may be implemented as a conventional microprocessor, microcontroller, digital signal processor, application specific integrated circuit, or the like. The server 110 is not limited by the specific implementation of the CPU 140.

Similarly, the memory 142 may be implemented with a variety of known technologies. The memory 142 may include random access memory, read-only memory, programmable memory, and the like. In one embodiment, a portion of the memory 142 may be integrated into the CPU 140. The server 110 is not limited by the specific form of the memory 142. The shared secret is stored in the memory 142 in association with the individual user. The shared secret may be stored in a protected form, such as encrypted data, secure location, or the like.

FIG. 2 also illustrates a network interface controller (NIC) 144. The NIC 144 generically represents the interface between the server 110 and the network 106. The specific implementation of the NIC 144 depends on the particular interface type and is within the scope of knowledge of one of ordinary skill in the art. For example, the NIC 144 may be an Ethernet interface coupled to a network access point (not shown). Alternatively, the NIC 144 may be a wireless interface or other known form of interface depending on the nature of the communication link 112 between the server 110 and the network 106. The server 110 is not limited by the specific implementation of the NIC 144.

The server 110 also includes an image processor 146 and an image storage area 148. As will be described in greater detail below, the image processor 146 may be used in one embodiment to generate images in accordance with the shared secret. If the image processor 146 generates the image for transmission to the computer 102, a copy of the image is temporarily stored in the image storage area 148 for later comparison with a captured image. As described above, the user captures the image on the display 104 with the mobile communication device 130 and analyzes it to verify that the image on the display 104 contains the shared secret known only to the authentic server 110 and to the authentic computer and/or the mobile communication device 130. If the image contains the shared secret, the server 110 is authenticated by the computer 102 and/or the mobile communication device 130 that determines that the image on the display 104 was generated in accordance with the shared secret.

If the computer 102 is a public computer (e.g., in a library or hotel lobby), it will not be aware of the shared secret. In this embodiment, the shared secret is known by the mobile communication device 130. The computer 102 receives and displays the image on the display 104, but cannot analyze the image because it does not know the shared secret. The mobile communication device 130 captures the image on the display 104 and performs the analysis to determine if the captured image was generated in accordance with the shared secret to thereby authenticate the server 110. The user operates the mobile communication device 130 to modify the captured image in accordance with the shared modification secret. The mobile communication device 130 transmits the captured and modified image, via the PLMN 120 and the network 106, to the authentication server 110. The image processor 146 analyzes the modified image to determine if it was modified in accordance with the shared modification secret. If the image was modified in accordance with the shared modification secret, the user is thereby authenticated.

FIG. 2 also illustrates a clock 150. As will be described in greater detail below, the image processor 146 can use the clock 150 to generate a time of day or date stamp when generating an image or when selecting an image from the image storage area 148. The date stamp can be used to make sure that the image is current. That is, the image is only valid for a predetermined period of time. In this embodiment, the modified image must be returned to the server 110 within a predetermined period of time.

The various components of FIG. 2 are coupled together by a bus system 152. The bus system 152 may comprise an address bus, data bus, control bus, power bus, and the like. For the sake of clarity, those various buses are illustrated in FIG. 2 as the bus system 152.

Those skilled in the art will appreciate that some of the functional blocks in FIG. 2 may be implemented as a set of instructions stored in the memory 142 and executed by the CPU 140. For example, the image processor 146 can be implemented as a separate device (e.g., a digital signal processor) or implemented as a set of instructions stored in the memory 142. Because the image processor 146 performs a separate function, it is illustrated as a separate block in the functional block diagram of FIG. 2.

Similarly, the image storage area 148 may be implemented as a separate storage component or integrated into the memory 142. The image storage area 148 may be implemented as any suitable data structure. In one embodiment, the image storage area 148 may be implemented as a database that may be an integral part of the server 110 or implemented as a separate component coupled to the authentication processor 110. For example, the image storage area 148 may be coupled to the server 110 via a local area network (LAN). In a distributed computer network, the image storage area 148 may be coupled to the network 106 and in communication with the server 110 via the network 106.

The mobile communication device 130 performs a number of functions. First, it takes a picture of an image displayed on the display 104 of the computer 102. Secondly, it analyzes the captured image to determine whether the image is constructed in accordance with the shared secret. Details of the shared secret analysis and examples are provided below. If the image is constructed in accordance with the shared secret, the server 110 is authenticated. In that event, the mobile communication device 130 accepts user input to modify the image. The mobile communication device 130 provides a file name for the modified image. In an exemplary embodiment, the file name of the image may include the IMSI of the mobile communication device 130 and a time stamp indicating the time at which the image was captured or modified. In addition, the mobile communication device 130 sends the modified image to a predefined address. The mobile communication device 130 executes a simple application program that allows the capture and analysis of an image, the modification of the captured image, and the automatic transfer of the modified image, via the PLMN 120, to a URL associated with the server 110. It should be noted that the image generated in accordance with the shared secret does not contain any embedded data that requires extraction and analysis by the mobile communication device 130. The shared secrets are intended to provide simple image analysis that may be readily performed by the client computer 102 or the mobile communication device 130. Examples of images constructed in accordance with the shared secret are provided below.

FIG. 3 is a functional block diagram of the mobile communication device 130. The mobile communication device 130 includes a CPU 160 and memory 162. In general, the memory 162 contains data and instructions that are executed by the CPU 160. The CPU 160 may be implemented as a conventional microprocessor, microcontroller, digital signal processor, application specific integrated circuit, or the like. The mobile communication device 130 is not limited by the specific implementation of the CPU 160.

Similarly, the memory 162 may be implemented with a variety of known technologies. The memory 162 may include random access memory, read-only memory, programmable memory, and the like. In one embodiment, a portion of the memory 162 may be integrated into the CPU 160. The mobile communication device 130 is not limited by the specific form of the memory 162. The memory 162 is also used to store the shared secret. As will be described in greater detail below, the shared secret is known only to the authentic server 110 and to the authentic client computer 102 and/or the authentic mobile communication device 130. In this embodiment, the mobile communication device 130 captures the image on the display 104 (see FIG. 1) of the computer 102 and analyzes the captured image using the shared secret stored in the memory 162.

FIG. 3 also illustrates a network transmitter 164 and a network receiver 166. In many implementations, the transmitter 164 and receiver 166 share common circuitry and are implemented as a transceiver 168. The transceiver 168 is coupled to an antenna 170. The transceiver 168 is illustrated in FIG. 3 as a generic device. Those skilled in the art will appreciate that the specific implementation of the transceiver 168 may depend on the particular PLMN 120 with which the mobile communication device 130 communicates. For example, the transceiver 168 in one mobile communication device 130 may be configured for operation in accordance with GSM standards while the transceiver 168 in a different mobile communication device may be configured for operation in accordance with CDMA or other communication protocols. However, as noted above, the system 100 may be readily implemented on mobile networks using various communication protocols and is not limited to any particular communication protocol.

In addition, the mobile communication device 130 includes a display 172 and keypad 174. The display 172 may be a black and white or color display and, in some embodiments, may be a touch-sensitive display. In this embodiment, the functionality of the keypad 174 may be combined with the display 172. These input/output devices operate in a conventional manner. In operation, the user manipulates the keypad 174 or, as is common in many modern mobile communication devices, uses a touch-sensitive display 172 to modify the captured image shown on the display. Examples of image modification will be described in detail below.

FIG. 3 also illustrates an imaging device 176. The imaging device 176 may include a charge-coupled device and a lens (not shown), as is common in many wireless devices. Technical details of the imaging device 176 to capture an image are well known in the art, and need not be described in greater detail herein.

An image analyzer 178 uses the shared secret stored in the memory 162 to analyze the captured image to determine whether the captured image contains the shared secret. In operation, the image analyzer 178 may typically be implemented as a set of instructions stored in the memory 162 and executed by the CPU 160. Those skilled in the art will appreciate that the image analysis can be readily implemented by the mobile communication device 130 without extensive signal processing or excessive computations.

The various components in FIG. 3 are coupled together by a bus system 180. The bus system 180 may include an address bus, data bus, control bus, power bus, and the like. For the sake of clarity, those various buses are illustrated in FIG. 3 as the bus system 180.

FIG. 4 is a flow chart illustrating an exemplary embodiment of a process to establish a shared secret. At a start 200, there is the server 110 and the mobile communication device 130. In step 202, the mobile communication device 130 and authentication server 110 establish a secure connection. The secure connection can be established using a variety of known techniques. In one example, the mobile communication device 130 may have web browsing capability. In this embodiment, the mobile communication device 130 can establish a secure connection (e.g., https) with the server 110 via the network 106. In another example, the mobile communication device 130 may be physically connected to the server 110 either directly or through another computer coupled to the server. In this embodiment, there is a secure hard wired connection between the mobile communication device 130 and the server 110. In yet another embodiment, the secure connection can be established between the server 110 and another authenticated computer, such as the authenticated client computer 102 (not available if the computer 102 is a public computer) and the shared secret downloaded to a memory device, such as a flash drive. Subsequently, the flash drive can be connected to the authenticated computer to which the mobile communication device 130 can be connected. The shared secret is thus side-loaded from the memory device to the mobile communication device 130. These are just a few examples of the number of different known techniques that can be used to establish the secure connection.

In step 204, the server 110 shares a secret with the wireless communication device 130. Those skilled in the art can appreciate that either element (i.e., the mobile communication device 130 or the server 110) may initially generate the secret. As will be discussed in greater detail below, the secret will be related to an image such that analysis of the image will be relatively simple. The image need not be created at the time that the secret is shared, but must be generated in accordance with the shared secret. Furthermore, it is important to note that the image itself is not provided to the computer 102 or the mobile communication device 130 in advance of a log-in process and need not be known to the user at all. That is, the user may not be aware of all aspects of the shared secret used to generate the image. However, the user must be aware of the shared modification secret that will allow the user to modify the image transmitted by the server 110.

Some conventional systems allow a user to select a single image during an initial set-up process. Anytime a user logs onto that web site, the user-selected image is displayed as a simple form of server authentication. However, this is not based on a shared secret contained within the image, as is described herein.

In step 206, the mobile communication device 130 and the server 110 store the shared secret in a secure location within the respective devices and the process ends at 208. At this point, at least one portion of the shared secret is known only to the mobile communication device 130 and the server 110. The portion of the shared secret known to the mobile communication device 130 is that the image generated by the server 110 and transmitted to the computer 102 (see FIG. 1) will be generated in accordance with the shared secret if the server 110 is the authentic server. However, the mobile communication device 130 need not be aware of the nature of the modification of the image to be generated by the user. This provides an even greater level of security. If the mobile communication device 130 is lost or stolen, an unauthorized individual who may find the mobile communication device cannot be authenticated because they do not know the manner in which the captured image must be modified. In contrast, the server 110 is aware of the user modification that must be made to the image. The various system elements are authenticated because the mobile communication device 130 can analyze the image from the server 110 to determine if it was generated in accordance with the shared secret thereby authenticating the server 110. In turn, the user must modify the generated image in accordance with the shared modification secret known only to the authentic server 110 and the authentic user. The modified image is transmitted back to the server 110 to thereby complete the authentication process. Because the secret was initially shared during a secure connection, the mobile communication device 130 has confidence in the authenticity of the server 110.

At a later point in time, the computer 102 wishes to establish a connection with the server 110 via, by way of example, the network 106, as illustrated in FIG. 1. It is at this stage that the user of the computer 102 wishes to authenticate the server 110. This process is illustrated in FIG. 5 where, at a start 220, the computer 102 and server 110 are each connected to the network 106 via their respective communication links 108 and 112. At step 222, the computer 102 generates a request to establish a communication link. This process may be initiated, for example, by the computer 102 navigating to a website associated with the server 110.

In step 224, the server 110 generates an image using the shared secret known only to the authentic server 110 and the authentic mobile communication device 130. In one embodiment, the server 110 dynamically generates the image using the shared secret after the computer 102 requests access to the server 110. However, those skilled in the art will appreciate that the server 110 may also generate the image using the shared secret in advance of any request for access by the computer 102. The generated image may be stored in association with identity data for the authentic computer 102 or a specific user, in association with a user name (e.g., user ID) and password. Thus, step 224 may be executed in advance of the request for a communication link in step 222 with the generated image being stored for future use.

In step 226, the server 110 transmits the image to the computer 102 via the network 106 and the communication links 112 and 108. Examples of images generated using the shared secret are described below.

In step 228, the user captures the image 134 on the display 104 (see FIG. 1) using the imaging device 176 on the mobile communication device 130 (see FIG. 3). In step 230, the image analyzer 178 within the mobile communication device 130 analyses the image to determine if it contains an element in accordance with the shared secret.

In decision 232, the mobile communication device 130 determines whether the image contains the shared secret. If the captured image does not contain the shared secret, the result of decision 232 is NO and, in step 234, the server 110 is not authenticated. If the server 110 is not authenticated, the mobile communication device 130 will not permit the modification of the captured image and will not transmit the captured image back to the server 110. In addition, the mobile communication device 130 may display a message on the display 172 indicating that the server 110 is not authenticated. The user may thus discontinue communication between the computer 102 and the unauthenticated server and the authentication process ends at 248.

If the captured image does contain the shared secret, the result of decision 232 is YES and in step 236, the server 110 is authenticated. In step 238, the user operates the keypad 174 (see FIG. 3) or the touch-sensitive display 172 to modify the image in accordance with the shared modification secret known only to the authentic user and the authentic server 110. In step 240, the mobile communication device 130 transmits the modified image back to the authentic server 110 via the PLMN 120 as described above.

The server 110 analyzes the modified image in decision 242 to determine if the image has been modified correctly. If the image has not been modified correctly, the result of decision 242 is NO and, in step 244, the user is not authenticated. If the user is not authenticated, the server will terminate communications with the computer 102 (see FIG. 1).

If the image has been modified correctly, the results of decision 242 is YES and, in step 246, the user is authenticated by the server 110. Following the user authentication in step 246, or the failure to authenticate the server in step 234 or the failure to authenticate the user in step 244, the process ends at 248. Thus, the system 100 provides a technique for authenticating various system elements as well as the user in the examples described herein, the system authenticates the server 110, the computer 102, and the individual user operating the computer 102 and the mobile communication device 130.

FIGS. 6-12 provide non-limiting examples of the type of images that can be created using the shared secret. It is intended that the authentication process is based on elements within the image itself rather than some form of data encrypted or embedded within the image. Thus the images generated using the shared secret may be readily analyzed by the mobile communication device 130 to authenticate the server 110. For example, FIGS. 6A and 7A illustrate images where there is a geometric relationship between objects in the image. FIG. 6A illustrates a seemingly random collection of geometric shapes, such as squares, triangles, rectangles, circles, at the like. However, the shared secret in the example of FIG. 6 is that the image must allow the formation of a square 250 by connecting the vertices of four triangles 252. The precise location of the triangles 252 within the image is not critical. Rather, it is the spatial relationship between the triangles 252 that permits the square 250 to be formed by connecting lines between the vertices of the triangles. Without knowledge of this shared secret, the server 110 cannot generate an image having the appropriate geometric relationship. Furthermore, the mobile communication device 130 cannot analyze the image of FIG. 6A without knowledge of the shared secret. Thus, each of the system elements (e.g., the mobile communication device 130 and the server 110) must have knowledge of the shared secret. If either of these system elements is not the authentic system element, it will not contain the knowledge of the shared secret and cannot provide the proper authentication. In addition, the image of FIG. 6A looks like a random arrangement of objects unless one knows the shared secret.

As noted above, the user does not need to be aware of the shared secret shared between the server 110 and the mobile communication device 130. The mobile communication device 130 can capture the image on the display 104 and perform the analysis described above. The user may be aware of the secret shared between the server 110 and the mobile communication device 130. However, the user must be aware of the shared modification secret that dictates the modifications to the captured image that will be made by the user. As illustrated in FIG. 6B, the shared modification secret is that the user will draw a rectangle 253 around four triangles (e.g., the triangles 252) in the captured image. The rectangle 253 can simply be a line around the triangles 252, and the area within the rectangle 253 may be transparent or opaque. The mobile communication device 130 transmits the modified image of FIG. 6B to the server 110 via the PLMN 120 as described above. The server 110 is aware of the shared secret used to generate the image of FIG. 6A and is also aware of the shared modification secret shared that guides the modification of the image, as shown in FIG. 6B. The server 110 will analyze the received image of FIG. 6B to determine whether the image contains the shared modification secret. If the image is modified in accordance with the shared modification secret, the user is thereby authenticated. Other types of shared secrets, such as a circle around the triangles 252, or a circle around a square, or other similar simple modification may also be used as the shared modification secret.

FIG. 7A can be a picture of a real house or a graphically generated house. Again, without knowledge of the shared secret, the image in FIG. 7A appears to be a normal house. However, the shared secret is that the tops of the windows 254 are all aligned. Thus, it is not merely the presence of the house in the image of FIG. 7A that authenticates the server 110, but that the geometric relationship of the windows 254 is such that the tops of the windows are in alignment. Without knowledge of this shared secret, the server 110 cannot generate the appropriate image and the mobile communication device 130 cannot analyze the image in accordance with the shared secret. Conventional authentication systems may simply send the picture of a house that is known to the user. In contrast, the object in FIG. 7A is not merely identified by the user as a known object, but must contain the shared secret element (e.g., the tops of the windows 254 in alignment). Furthermore, the image of the house may change from one authentication process to the next such that the image in FIG. 7A is not a static image that is always presented to the user upon log-in. In an exemplary embodiment, the user of the mobile communication device 130 need not even know the shared secret used to generate the image of FIG. 7A.

However, the user must be aware of the shared modification secret used to modify the image of FIG. 7A. For example, the shared modification secret could be that the user must place an “X” in each of the windows 254 to generate the image illustrated in FIG. 7B. As noted above, the user need not know that the shared secret shared between the server 110 and the mobile communication device 130 is that the windows 254 are in alignment at the top. The user simply knows that he must place an “X” in each of the windows. Thus, the image of FIG. 7B is transmitted by the mobile communication device 130 to the server 110 via the PLMN 120 in the manner described above. The server 110 analyzes the modified image to determine if it has been modified in accordance with the shared modification secret. If the image has been appropriately modified, the user may thus be authenticated by the server 110.

In another example embodiment, there is a mathematical relationship between objects in an image. For example, FIG. 8A is similar to FIG. 6A in that it illustrates a number of geometric shapes in what appears to be a random arrangement including a square 256 and a triangle 258. However, in the example of FIG. 8A, the shared secret is that the square 256 and triangle 258 are separated by a distance 260 that is 2.5 times the height of the square 256. The absolute location of the square 256 and triangle 258 within the image is not critical. Similarly, the distance 260 between the square 256 and the triangle 258 can vary from one image to another. What is critical is that the distance separating these two objects has a precise mathematical relationship with the height of the square 256. Thus, the image in FIG. 8A can look different each time it is generated at a log-in request so long as the shared secret mathematical relationship between objects is maintained.

In the examples of FIGS. 6B and 7B, the modification involved these elements that were part of the shared secret shared between the server 110 and the mobile communication device 130. For example, in FIG. 6B, the user must draw the rectangle 253 around the triangles 252 that were used to form the square 250. However, the shared modification secret need not be related to the elements that were part of the shared secret shared between the server 110 and the mobile communication device 130. For example, in FIG. 8B, the shared modification secret is that the user must place a “+” sign 261 in a circle (e.g., the circle 263 in FIG. 8B). Although FIGS. 8A-8B contain only one circle, it is possible that the image might contain multiple circles and the user can put a “+” sign in any of the circles, in all circles, in the smallest circle, in the largest circle, or the like. Those skilled in the art will appreciate that a number of variations (e.g., draw a triangle or a square around the circle 263) may be utilized as the shared modification secret. As discussed with other modified images, the mobile communication device 130 transmits the modified image of FIG. 8B to the server 110 via the PLMN 120, as described above. The server 110 analyzes the modified image of FIG. 8B to determine if it has been modified in accordance with the shared modification secret. The user is authenticated if, and only if, the image has been modified in accordance with the shared modification secret.

FIG. 9A illustrates another example of the mathematical relationship between objects within the image. FIG. 9A is similar to FIG. 7A in that it can be a picture of a real house or a computer-generated image of a house. In the example of FIG. 7A, the shared secret was that the tops of the windows 254 are in alignment. In FIG. 9A, the shared secret is that the windows 254 are separated by a distance 262 that is one-half the width of the right-most window. Thus, the shared secret may contain a mathematical relationship between objects in the image that are only known if the mobile communication device 130 and server 110 both know the shared secret.

In the example of FIG. 9A, the shared modification secret may be that the user must draw an “X” 262 in the largest window to thereby generate the modified image of FIG. 9B. Alternatively, the shared secret may be that the user places an “X” in the left most window, which would result in the same modified image of FIG. 9B. Those skilled in the art will appreciate that a number of other shared modification secrets may also be utilized. For example, in one embodiment, the user must draw a circle around smoke anywhere in the image. In the image of FIG. 9A, the smoke emanates from the chimney of the house. Thus, the user would draw a circle around the smoke coming from the chimney. In a different embodiment, the image could be that of a camp scene with smoke emanating from a campfire. Without any knowledge of the shared secret shared between the server 110 and the mobile communication device 130, the user would simply know that they must circle smoke in the image. Other simple modifications, such as an “X” on the door, a circle around the two windows on the right, or other modifications may also be readily employed by the system 100. As with other images, the captured image of FIG. 9B is transmitted by the mobile communication device 130 to the server 110 via the PLMN 120. The server 110 analyzes the modified image to determine if it has been modified in accordance with the shared modification secret. If the image has been modified in accordance with the shared modification secret, the user may be authenticated.

In yet another example, the shared secret may be that the picture contains a predetermined number of objects or certain types of objects within the picture. For example, the image of the house in FIGS. 7A and 9A contain different shared secrets in images that are quite similar. In yet another example of a shared secret, the image of FIG. 7A must contain exactly four windows 254 and one door. Thus, the same image (e.g., FIG. 7A) may be used with different shared secrets.

Similarly, the same image (e.g., FIG. 7B) may be used with a number of different shared modification secrets. For example, the user can place the “X” 255 in each of the windows 254, as illustrated in FIG. 7B. Alternatively, the shared modification secret may be to place the “X” 255 only in the windows 254 to the right of the door, to the left of the door, to the closest windows on each side of the door, or the like. Furthermore, as discussed above, the shared modification secret may be unrelated to the elements of the shared secret shared between the server 110 and the mobile communication device 130. For example, the shared modification secret may be to circle smoke in the image, to place a triangle around the smoke in the image, or the like. Those skilled in the art will appreciate that a number of different variations of the shared modification secret may be used for any given image.

In another example, the image in FIG. 10A appears similar to the images in FIGS. 6A and 8A and contains a number of different geometric shapes (e.g., circles, triangles, etc.). The shared secret in FIG. 10A is that the image must contain exactly three triangles 264-268. In yet another variation, the shared secret may be that FIG. 10 must contain the three triangles 264-268, but that two of the triangles must be equilateral triangles (e.g., the triangles 264-266), while the third triangle must be a right triangle (e.g., the triangle 268). Thus, the shared secret may be the number of objects (e.g., the number of triangles) and/or type of objects (two equilateral triangles and one right triangle).

The shared modification secret can include a variety of possible modifications. One possible modification is to draw a circle 267 around the largest triangle (e.g., the triangle 266) as shown in FIG. 10B. Alternatively, the shared modification secret may be to draw a circle around one equilateral triangle (e.g., either the triangle 264 or the triangle 266). Other shapes, such as a square around the triangle 266 or a circle around a circle, a square around a circle, or the like may be used as the shared secret image shown in FIG. 10B. As discussed above, the mobile communication device 130 transmits the modified image of FIG. 10B to the server 110 via the PLMN 120. The server 110 determines whether the image has been modified in accordance with the shared modification secret. If the image has been modified in accordance with the shared modification secret, the user is thereby authenticated.

FIG. 11A illustrates yet another example of geometric shapes constructed in accordance with a shared secret. In the example of FIG. 11A, the different geometric shapes must each have a different color with the exception of two triangles 270, which must be blue. In this example, it is not the specific shape of the triangles (e.g., equilateral or right triangles), but the number of triangles (e.g., two triangles) and the color of the triangles (e.g., blue).

In turn, there may be a number of shared modification secrets. For example, the shared modification secret may be that the user must draw a circle around each triangle, or a circle 272 around the smallest triangle (e.g., the small triangle 270) and a square 274 around the largest triangle (e.g., the large triangle 270), as illustrated in FIG. 11B. Alternatively, the shared modification secret may require the user to place an “X” through the red object in the image. Alternatively, the user must draw a line between the two green images or the two squares, or the like in the image. Thus, those skilled in the art will appreciate that a number of different shared modification secrets may be used with the same image.

In yet another example, the shared secret shared between the server 110 and the mobile communication device 130 may be that the image always contains someone named “George,” such as illustrated in FIG. 12A where the picture of Mount Rushmore contains an image of George Washington. In turn, the shared modification secret may be that the user must draw a mustache on anyone named “George” in the image, to generate the modified image of FIG. 12B. In examples where an image contains multiple persons named “George,” the user can modify the image to place a mustache on each person named “George” in the image. Other variations, such as placing a mustache on the image of the person named “George” on the left side of the image may also be used.

FIGS. 6A-12A illustrate individual examples of shared secrets contained within images. However, those skilled in the art will appreciate that the shared secret may be combinations of objects described above or multiple shared secrets. For example, the image of FIG. 7A may be a combination of shared secrets such as the precise number of windows 254 and doors, the alignment of windows, and the color of the house. Furthermore, the spacing between the windows 254 in FIG. 7A may be yet another shared secret.

Those skilled in the art can appreciate that the analysis of the images to determine whether the shared secret is present is relatively straight forward so long as the mobile communication device 130 and server 110 know the shared secret. The mobile communication device 130 can quickly analyze any of the images illustrated in the examples of FIGS. 6A-12A to determine whether the image contains the shared secret. Since only the authentic mobile communication device 130 and the authentic server 110 know the shared secret, only those two devices can perform the process described above. If the server 110 is not the authentic server, it cannot generate an image in accordance with the shared secret. The mobile communication device 130 can quickly discern that the image does not contain the shared secret such that the server would not be authenticated in step 234 of FIG. 5. Thus, the mobile communication device 130 can readily authenticate the server 110 on the basis of the shared secret.

Similarly, the server 110 can readily determine whether the image has been modified in accordance with the shared modification secret. Thus, the system described herein can be used to authenticate both the server 110 by analysis of the shared secret shared between the server 110 and the mobile communication device 130 and also authenticate the user by virtue of the shared modification secret.

Those skilled in the art will appreciate that the process described above is particularly valuable when the computer 102 is a public computer whose authenticity cannot be readily verified. However, if the client computer 102 is a private computer that can be authenticated to the server 110, the image analysis described above can be performed by the computer 102 itself rather than the mobile communication device 130. In this alternative embodiment, it is not necessary to capture the image on the display 104 using the imaging device 176 in the mobile communication device 130. Rather, the image analyzer 178 illustrated in FIG. 3 can be implemented within the computer 102 to perform the same form of image analysis to thereby determine whether the image is constructed in accordance with the shared secret. In this embodiment, the shared secret is stored directly in the computer 102. Furthermore, in this embodiment, the user can modify the image directly on the computer 102. The various modifications illustrated in FIGS. 6B-12B can be easily performed on the computer 102 using readily available software programs. In this embodiment, the modified image can be sent directly from the computer 102 to the server 110 via the network 106. Alternatively, the modified image on the display 104 can be captured by the mobile communication device 130 and transmitted back to the server 110 via the PLMN 120 as described above.

The shared secrets may be changed by both the mobile communication device 130 and the server 110 periodically or based on a network update mechanism or physical update mechanism to the mobile communication device 130 or the server 110.

As described above, the system 100 provides for the authentication of the server 110 by the end-user and provides a system for authentication of the end-user by the server via the user modification of an image in accordance with a shared modification secret. However, the computer 102 can also provide some of the functionality described above with respect to the server 110. In this embodiment, the computer 102 is a private computer (e.g., an individual's personal computer) and has knowledge of the shared modification secret. In a situation where the computer 102 is not connected to the network 106 (i.e., the computer 102 is operating offline), the computer can generate or display the image 134 on the display 104. In this embodiment, both the computer 102 and the user are aware of the shared modification secret. The user modifies the image 134 in accordance with the shared modification secret, such as drawing the rectangle 136 around the image and the computer 102 verifies that the image 134 was modified in accordance with the shared modification secret. The user is authenticated if the image is modified in accordance with the shared modification secret. Thus, the computer 102 provides the services or functionality of the server 110 to authenticate the user.

The foregoing described embodiments depict different components contained within, or connected with, different other components. It is to be understood that such depicted architectures are merely exemplary, and that in fact many other architectures can be implemented which achieve the same functionality. In a conceptual sense, any arrangement of components to achieve the same functionality is effectively “associated” such that the desired functionality is achieved. Hence, any two components herein combined to achieve a particular functionality can be seen as “associated with” each other such that the desired functionality is achieved, irrespective of architectures or intermedial components. Likewise, any two components so associated can also be viewed as being “operably connected”, or “operably coupled”, to each other to achieve the desired functionality.

While particular embodiments of the present invention have been shown and described, it will be obvious to those skilled in the art that, based upon the teachings herein, changes and modifications may be made without departing from this invention and its broader aspects and, therefore, the appended claims are to encompass within their scope all such changes and modifications as are within the true spirit and scope of this invention. Furthermore, it is to be understood that the invention is solely defined by the appended claims. It will be understood by those within the art that, in general, terms used herein, and especially in the appended claims (e.g., bodies of the appended claims) are generally intended as “open” terms (e.g., the term “including” should be interpreted as “including but not limited to,” the term “having” should be interpreted as “having at least,” the term “includes” should be interpreted as “includes but is not limited to,” etc.). It will be further understood by those within the art that if a specific number of an introduced claim recitation is intended, such an intent will be explicitly recited in the claim, and in the absence of such recitation no such intent is present. For example, as an aid to understanding, the following appended claims may contain usage of the introductory phrases “at least one” and “one or more” to introduce claim recitations. However, the use of such phrases should not be construed to imply that the introduction of a claim recitation by the indefinite articles “a” or “an” limits any particular claim containing such introduced claim recitation to inventions containing only one such recitation, even when the same claim includes the introductory phrases “one or more” or “at least one” and indefinite articles such as “a” or “an” (e.g., “a” and/or “an” should typically be interpreted to mean “at least one” or “one or more”); the same holds true for the use of definite articles used to introduce claim recitations. In addition, even if a specific number of an introduced claim recitation is explicitly recited, those skilled in the art will recognize that such recitation should typically be interpreted to mean at least the recited number (e.g., the bare recitation of “two recitations,” without other modifiers, typically means at least two recitations, or two or more recitations).

Accordingly, the invention is not limited except as by the appended claims. 

The invention claimed is:
 1. A system for user authentication comprising: a client computer having a processor and a memory; an image generator configured to generate an image; a display associated with the client computer and configured to display the generated image; a user-operable input device configured to accept user input to draw on top of the displayed image and thereby modify the displayed image whereby the image is visibly modified by the user; and an image analyzer configured to receive and analyze the modified image to determine if the modified image is modified in accordance with a shared modification secret, the shared modification secret being indicative of the manner in which the image should be modified, with the shared modification secret being known only by an authentic user and the image analyzer wherein the user of the client computer is authenticated if the image analyzer determines that the modified image is modified in accordance with the shared modification secret.
 2. The system of claim 1 wherein the image generator and the image analyzer are associated with the client computer and the shared modification secret is shared between the client computer and a user of the client computer.
 3. The system of claim 1, further comprising a server computer communicatively coupled to the client computer via a network wherein the image generator and the image analyzer are associated with the server computer and the shared modification secret is shared between the server computer and a user of the client computer.
 4. The system of claim 3 wherein the image generator is further configured to generate the image containing image elements in accordance with a secret shared between the client computer and a server computer, the system further comprising an image analyzer associated with the client computer and configured to analyze the generated image received from the server computer to determine if the received image contains the elements in accordance with the shared secret wherein the server computer is authenticated if the image analyzer determines that the received image contains elements in accordance with the shared secret.
 5. The system of claim 4 wherein the secret shared between the client computer and the server computer is a required element of a certain type in the generated image, and the modification secret is the generation of a border around the element of the certain type.
 6. The system of claim 4 wherein the user-operable input device is associated with the client computer to modify the received image on the client computer, the system further comprising: a wireless communication device associated with the user and having an imaging device configured to capture the image on the display, wherein the modified image received by the image analyzer associated with the server computer is the image modified on the client computer and captured by the imaging device on the wireless communication device.
 7. The system of claim 3 wherein the image generator is further configured to generate the image containing image elements in accordance with a secret shared between the server computer and a wireless communication device associated with the user, the system further comprising an imaging device associated with the wireless communication device and configured to capture the image on the display; and an image analyzer associated with the wireless communication device and configured to analyze the generated image captured by the imaging device to determine if the captured image contains the elements in accordance with the shared secret wherein the server computer is authenticated if the image analyzer determines that the captured image contains elements in accordance with the shared secret.
 8. The system of claim 7 wherein the secret shared between the server computer and the wireless communication device is a required element of a certain type in the generated image, and the modification secret is the generation of a border around the element of the certain type.
 9. The system of claim 7 wherein the user-operable input device is associated with the wireless communication device to modify the captured image wherein the modified image received by the image analyzer associated with the server computer is the image modified on the wireless communication device.
 10. The system of claim 7 wherein the user-operable input device is associated with the client computer to modify the received image on the client computer wherein the modified image received by the image analyzer associated with the server computer is the image modified on the client computer and captured by the imaging device associated with the wireless communication device.
 11. The system of claim 3, further comprising: a wireless communication device having an imaging device associated therewith, the imaging device being configured to capture the image on the display wherein the user-operable input device is a wireless communication device input device configured to modify the captured image and the image analyzer associated with the server computer is configured to analyze the modified image modified on the wireless communication device.
 12. The system of claim 11 wherein the wireless communication device is further configured to transmit the modified image to the server computer via a public land mobile network.
 13. The system of claim 1 wherein the shared modification secret does not identify the image itself, but only has information related to the modification of the image.
 14. The system of claim 1 wherein the shared modification secret is the generation of a border around an element of a certain type.
 15. The system of claim 1 wherein the shared secret modification is the generation of a border having a predetermined shape around an element of a certain type.
 16. The system of claim 1 wherein the shared modification secret is the generation of a border around a plurality of elements of a certain type.
 17. The system of claim 1 wherein the shared modification secret is the modification of an element of a certain type.
 18. The system of claim 1 wherein the shared modification secret is the modification of each of a plurality of elements of a certain type.
 19. The system of claim 18 wherein the modification of the image is the modification of each of the plurality of elements of the certain type in a substantially similar manner.
 20. The system of claim 18 wherein the modification of the image is the modification of each of the plurality of elements of the certain type in a different manner.
 21. A system for authentication of a computer user comprising: a client computer configured to communicate with a server computer; a network interface configured to communicate with the server computer via a network and to receive an image therefrom in response to an authentication request from the client computer; a display configured to display the received image; and a user-operable input device configured to sense user operation thereof to permit the user to draw on top of the displayed image and thereby visibly modify the received image in accordance with a shared modification secret shared between an authenticated server computer and an authenticated user, the shared modification secret being indicative of the manner in which the image should be modified by the user operating the input device, the modified image being transmitted back to the server computer to thereby authenticate the computer user.
 22. The system of claim 21 wherein the server computer is unauthenticated; the system further comprising: an image processor associated with the client computer and configured to analyze the received image to determine if the received image contains an element in accordance with a shared secret shared between an authenticated server computer and the client computer, wherein the unauthenticated server computer is authenticated if the image processor determines that the received image contains the element in accordance with the shared secret and designating the server computer as unauthenticated if the received image does not contain the element in accordance with the shared secret.
 23. The system of claim 21 wherein the shared modification secret does not identify the image itself, but only has information related to the modification of the image.
 24. The system of claim 21 wherein the user-operable input device is associated with the client computer, the network interface being further configured to transmit the modified image from the client computer to the server computer via the network.
 25. The system of claim 24, further comprising: a wireless communication device having an imaging device associated therewith, the imaging device being configured to capture the modified image on the display and to transmit the modified image to the server computer via a public land mobile network to thereby authenticate the user and the client computer.
 26. The system of claim 21, further comprising: a wireless communication device having an imaging device associated therewith, the imaging device being configured to capture the image on the display wherein the user-operable input device is associated with the wireless communication device, the wireless communication device being further configured to transmit the modified image to the server computer via a public land mobile network to thereby authenticate the user and the client computer.
 27. The system of claim 21 wherein the server computer is unauthenticated; the system further comprising: a wireless communication device having an imaging device associated therewith, the imaging device being configured to capture the image on the display; and an image processor associated with the wireless communication device and configured to analyze the captured image to determine if the captured image contains an element in accordance with a shared secret shared between an authenticated server computer and the wireless communication device, wherein the unauthenticated server computer is authenticated if the image processor determines that the captured image contains the element in accordance with the shared secret and designating the server computer as unauthenticated if the captured image does not contain the element in accordance with the shared secret.
 28. The system of claim 27 wherein the user-operable input device is associated with the wireless communication device, the wireless communication device being further configured to transmit the modified image to the server computer via a public land mobile network to thereby authenticate the user and the client computer.
 29. The system of claim 21 wherein the shared modification secret is the generation of a border around an element of a certain type in the received image.
 30. The system of claim 21 wherein the shared modification secret is the generation of a border having a predetermined shape around an element of a certain type in the received image.
 31. The system of claim 21 wherein the shared modification secret is a modification of an element of a certain type in the received image.
 32. The system of claim 21 wherein the shared modification secret is a modification of each of a plurality of elements of a certain type in the received image.
 33. The system of claim 32 wherein the modification of the image is the modification of each of the plurality of elements of the certain type in a substantially similar manner.
 34. The system of claim 32 wherein the modification of the image is the modification of each of the plurality of elements of the certain type in a different manner.
 35. A system for authentication of a computer user comprising: a server computer configured to communicate with a client computer; an image generator configured to generate an image containing an element in accordance with a shared modification secret known by an authenticated server computer and an authenticated user, the shared modification secret being indicative of the manner in which the image should be visibly modified by the authenticated user drawing on top of the image; a network interface configured to communicate with an unauthenticated client computer via a network and, in response to an authentication request from the unauthenticated client computer, to transmit the image to the unauthenticated client computer, the network interface being further configured to receive a modified version of the image after modification by an unauthenticated user; and an image analyzer configured to analyze the modified image to determine if the modified image is modified in accordance with the shared modification secret wherein the unauthenticated user is authenticated if the image analyzer determines that the modified image is modified in accordance with the shared modification secret.
 36. The system of claim 35 wherein the image generator and the image analyzer are part of the server computer.
 37. The system of claim 35 wherein the network interface receives the modified image from a wireless communication device associated with the authenticated user via a public land mobile network to thereby authenticate the user and the client computer.
 38. A method for authentication of an unauthenticated user of a computer, comprising: initiating an authentication process; displaying an image on the computer; accepting user input to draw on top of the displayed image and thereby visibly modify the displayed image; analyzing the modified image to determine if the modified image was modified by the user in accordance with a shared modification secret, the shared modification secret being indicative of the manner in which the displayed image should be modified by the user; and authenticating the unauthenticated user if the modified image was modified in accordance with the shared modification secret and not authenticating the unauthenticated user if the modified image was not modified in accordance with the shared modification secret.
 39. The method of claim 38 wherein displaying the image is done on a client computer, the method further comprising receiving the image for display from a server computer wherein the client computer displays the image received from the server computer.
 40. The method of claim 38 wherein the shared modification secret is shared between the server computer and an authenticated user, the method further comprising sending the modified image to the server computer and analyzing the modified image in the server computer to determine if the modified image is modified in accordance with the shared modification secret.
 41. The method of claim 39 wherein receiving the image from the server computer comprises receiving the image from an unauthenticated server computer, the method further comprising: prior to modifying the received image, analyzing the received image to determine if the received image contains an element specified in accordance with a shared secret known only to the authenticated server computer and an authenticated client computer; and authenticating the unauthenticated server computer if the received image contains the element specified in accordance with the shared secret.
 42. The method of claim 41, further comprising permitting access to the authenticated server computer if the user is authenticated.
 43. The method of claim 38, further comprising: displaying the received image; and capturing the displayed image using an imaging device on a wireless communication device, wherein modifying the received image in accordance with the shared modification secret and sending the modified image to a server computer for analysis are performed by the wireless communication device.
 44. The method of claim 38, further comprising: displaying the image received from an unauthenticated server computer; capturing the displayed image using an imaging device on a wireless communication device; prior to modifying the displayed image, analyzing the captured image to determine if the captured image contains an element specified in accordance with a shared secret known to the authenticated server computer and a wireless communication device associated with an authenticated user; and authenticating the unauthenticated server computer if the captured image contains the element specified in accordance with the shared secret.
 45. The method of claim 44, further comprising the wireless communication device sending the captured image to the server computer via a public land mobile network if the server computer has been authenticated.
 46. The method of claim 38, further comprising capturing the displayed image using an imaging device on a wireless communication device, wherein modifying the received image in accordance with the shared modification secret is performed by the wireless communication device on the captured image, wherein the wireless communication device sends the modified image to a server computer for analysis and authentication of the unauthenticated user.
 47. The method of claim 38 wherein the shared modification secret does not identify the image itself, but only has information related to the modification of the image.
 48. The method of claim 38 wherein the shared modification secret is the generation of a border around an element of a certain type in the received image.
 49. The method of claim 38 wherein the shared modification secret is a modification of an element of a certain type in the received image.
 50. The method of claim 38 wherein the shared modification secret is a modification of a plurality of elements of a certain type in the received image.
 51. The method of claim 50 wherein the modification of the image is the modification of each of the plurality of elements of the certain type in a substantially similar manner.
 52. The method of claim 50 wherein the modification of the image is the modification of each of the plurality of elements of the certain type in a different manner.
 53. The method of claim 50 wherein the modification of the image comprises a plurality of modifications to the image. 